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© Access to a vehicle by a remote electronic key 
(14) via a radio link is secured by an exchange of 
encrypted signals. A remote unit (14) having a secret 
number (S) is introduced to a base unit (12) and a 
common key (P) is agreed upon by an exponential 
key exchange. The common key (P) is encrypted 
using the secret number (S) and stored in the base 
unit (12). Thereafter, the base unit (12) is able to 
authenticate the identity of the remote unit (14) by 
sending the encrypted common key (Q) and a ran- 
dom number (R) to the remote unit (14) which de- 
crypts the key (Q) and uses it to encrypt the random 
number (R). The random number (R) is also encryp- 
ted in the base unit (12) and compared with the 
encrypted random number (X) from the remote unit 
(14). 
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This invention relates to a method of providing 
a remote accessing system applicable, for exam- 
ple, to automotive vehicle entry. 

It is well known to use digitally encoded signals 
over a radio link to open garage doors or unlock 
vehicle doors, for example, from a remote transmit- 
ter. Commonly, systems employing such control 
methods have a remote unit which may be carried 
in ones pocket or on a key chain and have a button 
which is pressed to issue a command signal. It is 
very desirable to make such systems secure from 
unauthorized use. This is especially important 
when the remote transmitter is used not only to 
unlock a vehicle door but also to actuate the ve- 
hicle ignition. When the signals are transmitted by 
radio frequency waves, it is possible to intercept 
these signals and then to record them for later 
retransmission to operate the vehicle. More elabo- 
rate signalling procedures are needed to preclude 
such possibilities. 

Encryption has been used for secure commu- 
nications in areas of national security or for com- 
puter security, for example. To achieve the highest 
security, a number of methods have recently been 
adopted. A number of recent developments are 
described in the paper by Diffie, "The First Ten 
Years of Public-Key Cryptography", Proc. IEEE, 
Vol.76, No. 5, May 1988, pp560-577, the disclosure 
of which is incorporated herein by reference. The 
RSA public key system described therein is a 
widely accepted security measure which might be 
used for vehicle security, although it involves very 
large key numbers and an amount of computation 
which is beyond the operating time and power 
constraints of an automotive system with a small 
remote unit A precursor of the public key system, 
also described by Diffie, is the exponential key 
exchange. This is used along with other cryp- 
tographic techniques in the system described be- 
low. The RSA system public key system may also 
be used when a smaller key number is acceptable 
for the required level of security. 

The present invention seeks to provide an im- 
proved method of providing a remote accessing 
system. 

According to an aspect of the present inven- 
tion, there is provided a method of providing a 
remote accessing system as specified in claim 1. 

It is possible with the present invention to pro- 
vide a system in which one or more of the follow- 
ing may apply: 

1. It has an arbitrarily high level of security even 
if all communications can be monitored and all 
aspects of the design are known. 

2. The remote unit cannot be copied or imitated 
even with physical access to the unit. 

3. One remote unit may be used with an unlim- 
ited number of base units. 



4. Compromise of one base unit shall not com- 
promise other uses of the same remote unit 

5. No operator input is needed beyond sign-up 
initiation. 

5 6. Ail functions other than radio transmission can 

be implemented by a single IC for each unit 
which can operate at very low power and com- 
plete the normal functions in a fraction of a 
second. 

to In a practical embodiment, there is provided a 

method of encrypted communication comprising 
the steps of: registering the remote unit with the 
base unit by establishing a common key by com- 
munication between the base unit and the remote 

75 unit, and storing the common key and an encryp- 
ted form of the common key in the base unit; then 
authenticating the remote unit by encrypting a ran- 
dom number with the common key in the base 
unit, passing the encrypted common key and a 

20 challenge number from the base unit to the remote 
unit wherein the challenge number comprises the 
random number or the encrypted random number, 
decrypting the common key in the remote unit, 
operating on the challenge number with the com- 

25 mon key in the remote unit, and comparing the 
results. 

An embodiment of the present invention is 
described below, by way of illustration only, with 
reference to the accompanying drawings, in which: 
30 Figure 1 is a schematic diagram of a remote 
access system for an automotive vehicle; 
Figure 2 is a diagram of base unit and remote 
unit modes for the system of Figure 1 ; 
Figure 3 is a diagram of an embodiment of 
35 initialization operations; and 

Figures 4 and 5 are diagrams of an embodiment 
of authentication operations. 
The ensuing description is directed to a secu- 
rity method and system designed for use in unloc- 
40 king vehicle doors and/or ignition switches by an 
electronic key coupled to the vehicle by a radio 
link. The same electronic key or remote unit can be 
used with an unlimited number of base units to 
gain access to home, office or other vehicles, for 
45 example. It will be apparent, however, that the 
method is applicable as well to other uses such as 
signal transmission within a vehicle, computer sys- 
tem security, vehicle identification for toll payments 
or car rental returns, for example, among other 
so uses. 

Figure 1 shows a vehicle 10 equipped with a 
remote access system including a base unit 12 in 
the vehicle and a remote unit 14 typically carried in 
the vehicle driver's pocket or purse. The units are 
55 coupled by radio communication effective over a 
short distance. As indicated by dotted lines 16 
adjacent each vehicle door handle 18 and lines 20 
adjacent the vehicle boot, minimum distances of 
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only a few feet are required although a larger 
radius of communication may be provided. It is 
intended that when the driver carries the remote 
unit within radio range of the base unit the system 
will automatically act to unlock the door without 
activation by the operator, provided that the iden- 
tification of the remote unit can be verified. In some 
applications the units are activated only when the 
driver touches or tries to operate the door handle 
18. 

A randomly chosen secret key code S, at least 
56 bits long, and a unique identification code ID are 
permanently programmed in the remote unit 14 
(using an EPROM) at the time of manufacture. By 
choosing the secret key code S from a very large n 
number of possibilities, it is effectively unique but it 
is only necessary that there be no way to decipher 
it. In particular, the manufacturing equipment that 
programs the remote units with their unique iden- 
tification code ID and secret key code S must 2c 
destroy all memory of the secret key code S after 
it has verified proper programming. To keep the 
key code S secret, another bit is programmed into 
the key code S which prevents it from being read 
or changed. ** 25 

The base unit 12 and the remote unit 14 op- 
erate in various modes as indicated in Figure 2. 
The units must first be initialized to select ran- 
domly a common key code and to register the 
identification code ID of the remote unit 14 with the 30 
base unit 12. This mode is authorized by operator 
input such as by entry of an access code on a 
keyboard in the vehicle. No other mode requires 
operator input. The initialization occurs only once 
to introduce a remote unit 14 to a base unit 12, 35 
however, when a remote unit 14 is used with more 
than one base unit 12 or when a base unit 12 is 
used with more than one remote unit 14, an initial- 
ization must take place for each pair of units. 

After being initialized, the remote unit 14 as- 40 
sumes a sleep state for low power consumption. 
When the remote unit 14 enters the radio range of 
the base unit 12, a wake-up mode is entered 
wherein a signal from the base unit 12 wakes up or 
alerts the remote unit 14 to prepare its circuits for 45 
interrogation. This starts the identification mode. 
Then the base unit 12 sends out identification 
signals corresponding to the various remote unit's 
identification codes stored in the base unit 12. If an 
identification signal matches the identification code 50 
ID of the particular remote unit 14 in its range,- the 
remote unit 14 responds that a match has been 
made. The authentication mode is then entered to 
verify that the remote unit 14 is indeed an au- 
thorized unit. During this mode, an exchange of 55 
encrypted signals based on the previously estab- 
lished secret key code S takes place. 

After the wakeup, the general approach is for 



the base unit 12 first to identify which, if any, of 
several authorized remote units 14 is in its vicinity 
by a conventional polling scheme. The base unit 12 
then requests the remote unit 14 for information 
that only the legitimate remote unit 14 can have. 
The request and correct response must be different 
each time to prevent accepting the playback of a 
previous correct response. The correct response 
must not be related to the request in a simple way. 
For a secure system, it should not be possible to 
deduce the correct response with full knowledge of 
the system and all previous communications. 

Cryptographic techniques provide means to ac- 
complish this. A cryptosystem performs a com- 
plicated transformation from input to output under 
the control of a variable called the key(s). Knowing 
the correct key, it is possible to do the inverse 
transformation and recover the original input. For 
an ideal cryptographic system (cryptosystem) there 
should be no better way to determine the input 
from the output than trying all possible keys. By 
making this number large enough, it becomes un- 
feasible to break the key even using a very high 
speed computer. An example of such a system is 
the data encryption standard (DES) approved by 
National Bureau of Standards and National Security 
Agency as suitable for computer data security, 
electronic funds transfer, etc. short of national se- 
curity. DES uses a 56-bit key giving about 72 
quadrillion possibilities. 

Conventional cryptosystem s, such as DES, use 
the same key for both encryption and decryption. 
Each pair needing to communicate securely must 
have an individual key known to both but not any- 
one else. Security is a matter of keeping this 
private key secure. Public key cryptosystems use 
different keys for encryption and decryption where 
one cannot be easily derived from the other. The 
degree of difficulty can be made arbitrarily high by 
making the keys sufficiently long. 

The stated objectives can be met while staying 
within the constraints of low power consumption 
and quick response with a combination of a private 
key cryptosystem and either the RSA public key 
system or the exponential key exchange previously 
mentioned and which is set forth in U.S. Patent No. 
4,200,770. Exponential key exchange allows a re- 
mote unit and base unit to agree mutually upon a 
private key over an unsecured channel as follows. 
The remote unit and base unit each secretly select 
a number, F and B, respectively. They then com- 
pute M F .mod.N and M B .mod.N, respectively, where 
N is a large prime number and both M and N are 
known to everyone. They exchange answers and 
then compute P = (M B .mod.N) F .mod.N and P = - 
(M F .mod.N) B .mod.N, respectively. They each arrive 
at the same value, P = MB.mod.N, from a different 
combination of secret and public information. An 
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eavesdropper cannot derive this value because of 
the difficulty of deriving F or B from M F .mod.N or 
M B .mod.N for large N. P is then shortened to the 
proper length and used as the private key for this 
particular remote unit and base unit pair. 

To assure difficulty of deriving F or B, it is 
preferred that they have a length of several hun- 
dred bits, although a practical system may have 
only about 256 bits. While the base unit 12 may 
have a random number generator, this is not desir- 
able for the remote unit 14. To provide such a 
large number having a random nature, a small 
random or pseudo-random seed number is pro- 
vided by the base unit 12 and passed to the 
remote unit 14. This seed is operated upon in 
conjunction with the secret key S to generate a 
number having 256 bits which is used as the 
exponent F. 

To allow a single remote unit 14 to operate 
with an unlimited number of base units 12 (using 
an unlimited number of different valves P) the 
remote unit 14 does not store its copy of P. It lets 
the base unit do the storage. The remote unit 14 
first encrypts its copy of P using the built in secret 
key, S, to give Q = S(P) then passes Q over the 
radio link to the base unit 12. The base unit 12 
stores Q along with its copy of P and the remote 
unit ID in its table of authorized users. This con- 
cludes the initialization or sign-up procedure. 

The initialization is shown in Figure 3 which 
illustrates the operations in each of the base and 
remote units and the communications there- 
between. First the base unit 12 transmits the seed 
A to the remote unit 14 which derives the exponent 
F from the key code S and A while the base unit 
12 selects an exponent B. Then, each unit cal- 
culates the particular remainder for its respective 
calculated exponential and transmits only the re- 
mainder to the other unit. Each unit calculates P by 
combining the local remainder and the received 
remainder. The base unit 12 stores P while the 
remote unit 14 encrypts P using secret key S and 
passes it to the base unit 12 for storage. The ID is 
passed to the base for storage as well. 

Other methods of selecting a common key 
may be used. The prime requisite is that the units 
agree on a randomly selected key in a secure 
manner. Public key cryptography may be used for 
this purpose. Public key cryptosystems use dif- 
ferent keys for encryption and decryption where 
one cannot be easily derived from the other. The 
above mentioned RSA public key system is suit- 
able. The public key system is used to commu- 
nicate a common key for the base and remote 
units and the key is encrypted by the remote unit 
and stored in the base unit as described above. 

After the remote unit is registered with the 
base unit as an authorized user, the remote unit 



can forget everything except the secret key, S, and 
its identification code ID. When the base unit wish- 
es to challenge the remote unit to prove its identity, 
it passes to the remote unit the encrypted private 

5 key, Q, and a random number, R. This pair of 
numbers comprises the challenge. The remote unit 
uses its secret key to decrypt Q to give P = S'(Q). It 
then uses P to encrypt R to give X = P(R) which it 
returns to the base unit 12. Meanwhile the base 

10 unit 12 uses its copy of P to encrypt R to give 
X = P(R). The base unit 12 compares the X's and, if 
they match, the remote unit 14 is accepted as 
authentic. 

The authentication method (as well as the ID 

75 interrogation) is shown in Figure 4 which illustrates 
the operations in each of the base and remote 
units. The base unit 12 has stored therein the key 
P, the identifiction code ID and the encrypted key 
Q while the remote unit 14 has stored therein the 

20 identification code ID and key S. The base unit 12 
transmits the ID and the remote unit compares it 
with its ID, and if there is a match, a reply is 
transmitted to the base unit 12. When no reply is 
received, the next ID stored in the base unit 12 is 

25 transmitted. When a reply is received, a random 
number R is generated and sent to the remote unit 
14 along with the Q which corresponds to the ID 
which was matched in the remote unit 14. The 
remote unit 14 decrypts Q to get P and encrypts R 

30 to get X and passes it to the base. In the meantime 
the base unit 12 also encrypts R to get X and 
compares the two X's. 

Figure 5 shows a variant on the above de- 
scribed authentication operation. Here, R is encryp- 

35 ted to get X and the challenge comprises X and Q 
which are both decrypted in the remote unit 14 to 
obtain R which is passed to the base unit 12 and 
compared with the original R to determine whether 
there is a match. 

40 To provide tolerance to faulty communications, 

two different strategies are used. Some commu- 
nications, such as the challenge and key exchange, 
must be perfect because the encryption process 
has the effect of randomizing the entire output if 

45 any input bit is changed. When communications 
are usually good but sometimes very bad and 
retransmission is possible, error checking can be 
more effective than error correction coding. A 
cyclic redundancy check with retransmission on 

50 request is preferred for critical messages. 

For other -communications close is good 
enough. The correct response to the challenge is 
already known to the base unit. The probability of a 
random response having 90% of a total of 64 bits 

55 correct is about 1 in 200 billion. During polling the 
remote unit is looking for its specific ID. By select- 
ing the ID's properly at the time of manufacture, all 
ID can be guaranteed to differ by some number of 
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bits. For example 67 million 32 bit ID's can made 
to differ by at least four bits. The remote unit can 
answer to an ID that comes within 1 or 2 or even 3 
bits of its own with very high confidence. This is a 
passive form of error correction. Similarly, the final 5 
comparison step of the authentication procedure 
does not have to require an exact match of all bits 
so long as there is a high probability that the 
remote unit determined the correct value in re- 
sponse to the challenge. 1C 

Both security and economic needs can be met 
by putting all the functions except the radio tran- 
sceiver on a single IC. Secret information cannot 
be extracted from the IC without destroying it and 
then it is extremely difficult The base unit 12 15 
performs many of the same functions as the re- 
mote unit 14. The IC can be designed to do either 
by providing a mode selection and host computer 
port. The base unit 12 contains a host computer to 
interface to the vehicle and to maintain the au- 20 
thorization list. The host port can also facilitate 
production testing. 

It is not necessary to include a random number 
generator in the IC. For the base unit 12, a host 
computer can perform this function in software. 25 
The remote unit 14 does not need its own random 
numbers. During sign-up, the remote unit 14 needs 
a seed number which is different each time. As 
described above, a different number is provided by 
the base unit 12 and the remote unit 14 makes it 30 
secret by encrypting it with the secret key S. The 
number is both unpredictable and secret without an 
explicit random number generator. 

Only the correct remote unit 14, the one with 
which keys were initially exchanged, can provide 35 
the correct answer because only it has the correct 
key code S to transform Q to P. In effect, the key 
code S is only used by the remote unit 14 itself at 
a later time. There is never any need or ability for 
the key code S to be shared. 40 

Claims 

1. A method of providing a remote accessing 

system, which system comprises a base unit 45 
(12) and a remote unit (14) adapted to commu- 
nicate with one another via a communication 
link, comprising the steps of providing an in- 
dividual key (S) in the remote unit; registering 
the remote unit with the base unit, which regis- so 
tering step includes (i) establishing a common 
key (P) in the base and remote units, (ii) deriv- 
ing in the remote unit an encrypted common 
key (Q) on the basis of the individual key (S), 
(iii) transferring the encrypted common key 55 
(Q) to the base unit, and (iv) storing the com- 
mon key (P) and the encrypted common key 
(Q) in the base unit; and authenticating the 



remote unit, which authenticating step includes 
(i) obtaining in the base unit a random number 
(R) and an encrypted random number (X) de- 
rived from the random number (R) and the 
common key (P), (ii) transferring to the remote 
unit the encrypted common key (Q) and either 
the random number (R) or the encrypted ran- 
dom number (X), (iii) decrypting in the remote 
unit the encrypted common key (Q) on the 
basis of the individual key (S) to obtain the 
common key (P) and either encrypting the 
received random number (R) or decrypting the 
received encrypted random number (X) on the 
basis of the obtained common key (P) to form 
a value, (iv) transferring the value to the base 
unit, and (v) comparing the value with its asso- 
ciated random number (R) or encrypted ran- 
dom number (X) obtained in the base unit. 

2. A method according to claim 1, wherein the 
common key (P) is established by exponential 
key exchange. 

3- A method according to claim 1, wherein the 
common key (P) is established by a cryp- 
tographic method. 

4. A method according to claim 1 , 2 or 3, wherein 
the step of establishing a common key (P) 
includes the steps of passing a random seed 
(A) to the remote unit (14) and generating with 
the individual key (S) and the seed (A) a num- 
ber (F) for use in establishing the common key 
(P). 

5. A method according to any preceding claim, 
wherein the step of comparing the value with 
its associated random number (R) or encryp- 
ted random number (X) determines that a 
match exists when the value is substantially 
equal to its associated random number (R) or 
the encrypted random number (X). 

6. A method according to any preceding claim, 
wherein the step of authenticating the remote 
unit (14) comprises the steps of transferring an 
identification code (ID) to the remote unit, com- 
paring in the remote unit the received iden- 
tification code (ID) with an identification code 
(ID) stored in the remote unit, and transferring 
a reply signal to the base unit when the re- 
ceived identification code substantially match- 
es the stored identification code, the base unit 
obtaining the random number (R) and the en- 
crypted random number (X) on receipt of the 
reply signal. 

7. A method according to any preceding claim, 
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© Access to a vehicle by a remote electronic key 
(14) via a radio link is secured by an exchange of 
encrypted signals. A remote unit (14) having a secret 
number (S) is introduced to a base unit (12) and a 
common key (P) is agreed upon by an exponential 
key exchange. The common key (P) is encrypted 
using the secret number (S) and stored in the base 
unit (12). Thereafter, the base unit (12) is able to 
authenticate the identity of the remote unit (14) by 
sending the encrypted common key (Q) and a ran- 
dom number (R) to the remote unit (14) which de- 
crypts the key (Q) and uses it to encrypt the random 
number (R). The random number (R) is also encryp- 
ted in the base unit (12) and compared with the 
encrypted random number (X) from the remote unit 
(14). 
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